
I have given a host a 10.0.x.x address in our public DNS. (The reasons are irrelevant.)

The host can be reached from our locations through VPN; however, one site behind a Tomato router cannot resolve the host.

I've tried from a client, and pinging and tracerouting from the router GUI, but internal.example.com is not resolved.

Could the DNS in the router be intercepting DNS lookups which return RFC1918 answers? Could the ISP? But I'm querying 8.8.8.8, and the domain is, according to https://www.whatsmydns.net, resolvable from all over the world (except for a server in Turkey, which returns 195.175.254.2 for all hosts in our domain).

EDIT: Something fishy is going on. The Tomato router has a window I can run commands in. Even if I do an nslookup against a non-existent server, I get replies:

 # nslookup microsoft.com 254.254.254.254
Server:    254.254.254.254 
Address 1: 254.254.254.254

Name:      microsoft.com 
Address 1: 13.77.161.179 
Address 2: 40.76.4.15 
(...) 

So something is definitely intercepting the DNS lookups.

I'll have to ask my ISP.

Lenne
    Yes, routers can be configured to reject global DNS responses with RFC1918 addresses. Some do this by default. – Michael Hampton Dec 06 '18 at 18:38
  • To find out if you are really using `8.8.8.8` you can try `dig txt o-o.myaddr.l.google.com` – kasperd Dec 07 '18 at 12:26
  • 1
    Cool. Unfortunately nslookup in busybox on the router does not support options to do anything else than A/AAAA lookups. But I added the 10.0.x.x to dnsmasq, and now it resolves. – Lenne Dec 07 '18 at 12:40
  • @MichaelHampton I asked a large festival what DNS server they had in their extensive internal network. Was primly told to use an external DNS to set up resolution to internal IPs (I was hosting an AR guidance app). That just seemed wrong .. and per your note, now I know why. No control. – J. Gwinner Feb 02 '23 at 01:01

1 Answer


Public DNS names that resolve to private addresses can be used to trick a browser into attacking internal network devices, thinking they belong to the domain that is displayed in the browser. To prevent this, DNS servers can be configured to not return these private addresses if they are found in a DNS response.

Your second discovery is independent of the first. Most routers use busybox for many common tools. Busybox provides the commonly used functions of many Unix utilities but aims for small size at the expense of rarely used functionality. Some versions of busybox ignore the DNS server in the second argument and just query the default resolver.

RalfFriedl
  • So busybox might be telling me it's using one server, but really using another? Darn, why lie to me? It should display what server it's really using when it is ignoring what I tell it. Anyway, to overrule the first part, I have now entered the name/IP in the config for dnsmasq. I can now look up the IP from the router. – Lenne Dec 07 '18 at 07:10
  • The Busybox version where I discovered this behavior didn't exactly lie; it didn't know or care about the DNS server used. It would just use gethostbyname and could therefore also use names from /etc/hosts. I agree that this behavior is not desirable. – RalfFriedl Dec 07 '18 at 17:47
  • 1
    It should say it's using another server than the one I asked it to. – Lenne Dec 07 '18 at 17:50
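As an added example (not code from the question, the answer, or any router firmware): a stdlib-only Python model of the filtering the answer describes, in the spirit of dnsmasq's stop-dns-rebind and rebind-domain-ok options. It builds a constructed DNS response for a hypothetical internal.example.com pointing at 10.0.5.7, parses the A records out of the wire format, and drops private-address answers unless the name is under an explicitly trusted domain, which is the per-domain allowlisting an admin wants instead of blanket blocking.

```python
import ipaddress
import struct

# Constructed sample response (not captured traffic): one A record answering the
# question name via a compression pointer (0xc00c -> offset 12), as resolvers do.
def build_response(name, ip, txid=0x1234):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 Q, 1 A
    question = qname + struct.pack("!HH", 1, 1)                 # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # A, IN, TTL 300, RDLEN 4
    return header + question + answer + ipaddress.IPv4Address(ip).packed

def _read_name(msg, off):                             # returns (name, offset after name)
    length = msg[off]
    if length & 0xC0 == 0xC0:                         # compression pointer ends the name
        ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        return _read_name(msg, ptr)[0], off + 2
    if length == 0:
        return "", off + 1
    label = msg[off + 1:off + 1 + length].decode()
    rest, end = _read_name(msg, off + 1 + length)
    return (label + "." + rest if rest else label), end

def parse_a_records(msg):                             # -> [(name, ipv4_string), ...]
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                          # fixed-size header
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                      # skip QTYPE/QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            records.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return records

def rebind_filter(records, allowed_domains=()):
    """Drop private/loopback/link-local answers unless the name is under a trusted domain."""
    kept = []
    for name, ip in records:
        addr = ipaddress.ip_address(ip)
        trusted = any(name == d or name.endswith("." + d) for d in allowed_domains)
        if (addr.is_private or addr.is_loopback or addr.is_link_local) and not trusted:
            continue                                  # the filtering that hid the OP's host
        kept.append((name, ip))
    return kept
```

Running `rebind_filter(parse_a_records(build_response("internal.example.com", "10.0.5.7")))` returns an empty list, and the same call with `allowed_domains=("example.com",)` returns the record, mirroring the difference between a router that silently drops RFC1918 answers and one told which domain may legitimately hand them out.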